Re: ACL's and permissions viewed after Migrating from NT 4 domain... The twilight zone?

From: Dmitri Gavrilov [MSFT] (dmitrig@online.microsoft.com)
Date: 02/19/03


From: "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com>
Date: Tue, 18 Feb 2003 19:58:36 -0700


Yes.

-- 
Dmitri Gavrilov
SDE, Active Directory Core
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Angel_Venjador" <notengo@nohay.es> wrote in message
news:u5yj2cl1CHA.2472@TK2MSFTNGP11.phx.gbl...
> and the ACLUI will keep showing up the AD users 'correctly'?
>
> "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
> news:#f3KUAG1CHA.1628@TK2MSFTNGP10...
> > Yes, you can decommission the old domain, and the users will retain all
> > access they used to have, including file access. You can verify this by
> > taking the NT4 DCs offline.
> >
> > --
> > Dmitri Gavrilov
> > SDE, Active Directory Core
> >
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > Use of included script samples is subject to the terms specified at
> > http://www.microsoft.com/info/cpyright.htm
> >
> > "Angel_Venjador" <notengo@nohay.es> wrote in message
> > news:Ox$ZhjB1CHA.1900@TK2MSFTNGP10...
> > > Thanks for your answer Dmitri.
> > >
> > > OK, this is now clear. And if I decommission the old NT4 domain this
> > > should remain the same, shouldn't it? I mean, if for example I keep the
> > > old ACLs in some directories on a server that is changed from being a DC
> > > in the NT4 domain to a DC in AD, I'll keep seeing my users correctly, yes?
> > >
> > > (The little problem I have noticed is that if you give permissions to
> > > both the NT4 user and the migrated AD user, the AD user appears twice in
> > > the ACL. But this isn't really a problem in fact.)
> > >
> > > "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
> > > news:#P#3CL40CHA.1636@TK2MSFTNGP10...
> > > > When you migrated the user, the NT4 SID that was assigned to him was
> > > > added to the new W2K user's SID history. ACLUI cracks the SID it got
> > > > from the ACL against the AD, and it is able to find the new user by the
> > > > old SID, because it also checks the SID history when attempting to
> > > > crack a SID to a user.
> > > >
> > > > --
> > > > Dmitri Gavrilov
> > > > SDE, Active Directory Core
> > > >
> > > > This posting is provided "AS IS" with no warranties, and confers no
> > > > rights.
> > > > Use of included script samples is subject to the terms specified at
> > > > http://www.microsoft.com/info/cpyright.htm
> > > >
> > > > "Angel_Venjador" <notengo@nohay.es> wrote in message
> > > > news:OeL3MS00CHA.2552@TK2MSFTNGP12...
> > > > > Hi,
> > > > >
> > > > > we're currently migrating our NT 4 domain to AD using ADMT from
> > > > > Microsoft.
> > > > >
> > > > > Everything is fine, except for viewing ACLs after migration.
> > > > >
> > > > > The ADMT documentation says:
> > > > >
> > > > > The security on resources does not need to be translated before the
> > > > > source account is deleted. However, for cosmetic reasons, you will
> > > > > most likely want to translate security before deleting the source
> > > > > account. Once the source account is gone, the resource will no longer
> > > > > be able to resolve the SID to a name and the security properties will
> > > > > show as "account unknown". The access will still work, but you can't
> > > > > resolve the SID name. If you upgrade the resource domain to Windows
> > > > > 2000, Windows 2000 will be able to detect the SID History and resolve
> > > > > the name properly. So, over time, you will want to manually clean up
> > > > > SID History and grant access to the new security principals.
> > > > >
> > > > > The problem (or good thing) is that the cosmetic reasons the ADMT
> > > > > help mentions are not right! In fact, after giving access to a file
> > > > > that is on an AD DC to an NT4 domain user, if this NT4 user has been
> > > > > migrated keeping sidHistory, when we view the permissions of that file
> > > > > the permissions are apparently set to the AD user, not the NT4 user!
> > > > >
> > > > > This is really astonishing since we EXPLICITLY gave permissions to
> > > > > the NT4 USER!
> > > > >
> > > > > Does anyone have an explanation?
> > > > >
> > > > > This happens even if we delete the NT4 domain user! Permissions are
> > > > > always said to be given to the AD user, and if we then explicitly set
> > > > > permissions to the AD user, we can see that permissions are set to
> > > > > the AD user TWICE!
> > > > >
> > > > > I'd like to know why the GUI shows the AD user instead of the real
> > > > > user the ACLs have been given to... Why does it interpret the SIDs so
> > > > > badly?
> > > > >
> > > > > IS IT A BUG?
> > > > >
> > > >
> > >
> >
>
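A defender's check for the behaviour Dmitri describes, added here as an example that is not part of the thread: it lists each ACE on a folder with the raw SID stored in the ACL and reports whether AD resolves that SID through the account's objectSid or only through sIDHistory, so ACEs still granted to old NT4 SIDs (the ones ACLUI silently shows as the migrated AD user, and the source of the "appears twice" effect) can be found and re-granted to the new principal before sIDHistory is cleaned up. It assumes the ActiveDirectory PowerShell module is available, and the folder path is a placeholder.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# is installed and the caller can read both the folder's ACL and the directory.
Import-Module ActiveDirectory

function Get-AceSidResolution {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    # Ask for the rules with raw SIDs, not names: the name ACLUI displays is the
    # result of the resolution we want to inspect, so it would hide the old SID.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        $matchedVia = 'unresolved'
        $account = $null

        # Current SID: some account owns this SID as its objectSid.
        $obj = Get-ADObject -LDAPFilter "(objectSid=$sid)" -Properties sAMAccountName
        if ($obj) { $matchedVia = 'objectSid'; $account = $obj.sAMAccountName }
        else {
            # Old NT4 SID: only reachable through an account's sIDHistory.
            # This is the lookup that makes the ACE display as the migrated AD user.
            $obj = Get-ADObject -LDAPFilter "(sIDHistory=$sid)" -Properties sAMAccountName
            if ($obj) { $matchedVia = 'sidHistory'; $account = $obj.sAMAccountName }
        }

        [pscustomobject]@{
            Path       = $Path
            Sid        = $sid
            Account    = $account
            MatchedVia = $matchedVia
            Rights     = $rule.FileSystemRights
            Inherited  = $rule.IsInherited
        }
    }
}

# Report every ACE, then the accounts that are granted twice (once via objectSid,
# once via sIDHistory): these are the entries to re-ACL to the new SID before
# sIDHistory is removed, otherwise that access disappears with the old SID.
$aces = Get-AceSidResolution -Path 'D:\Shares\Finance'   # placeholder path
$aces | Format-Table Sid, Account, MatchedVia, Rights, Inherited -AutoSize
$aces | Where-Object Account | Group-Object Account |
    Where-Object { ($_.Group.MatchedVia | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object { "{0}: granted via both objectSid and sIDHistory" -f $_.Name }
```

Entries reported as 'unresolved' are the "account unknown" case from the ADMT documentation: a SID that belongs to neither objectSid nor sIDHistory of any current object.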